Add Apache-style CGI query escaping and STRICT_CGI_PARAMS whitelist; update compile.cmd to use PP env var and standard 7-Zip path; update copyright to 2025

maximmasiutin · maximmasiutin · commit 876b7e2887f4 · 2025-11-23T11:51:54.000+02:00
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,13 @@
+.git
+.gitignore
+*.exe
+*.obj
+*.o
+*.dcu
+*.bak
+*.7z
+*.log
+*.md
+Dockerfile
+Dockerfile.old
+Dockerfile.new
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,5 @@
+FROM debian:stable-slim
+RUN apt-get update && apt-get install -y mingw-w64 && rm -rf /var/lib/apt/lists/*
+COPY CGITEST/login.c /app/login.c
+WORKDIR /app
+RUN x86_64-w64-mingw32-gcc -o login.exe login.c
diff --git a/SRC/SrvMain.pas b/SRC/SrvMain.pas
@@ -1,7 +1,7 @@
 //////////////////////////////////////////////////////////////////////////
 //
 // TinyWeb
-// Copyright (C) 2021-2023 Maxim Masiutin
+// Copyright (C) 2021-2025 Maxim Masiutin
 // Copyright (C) 2000-2017 RITLABS S.R.L.
 // Copyright (C) 1997-2000 RIT Research Labs
 //
@@ -796,6 +796,71 @@ procedure TPipeReadStdThread.Execute;
   until False;
 end;
 
+// CGI Query Parameter Security Functions
+// Implements defense-in-depth for ISINDEX-style queries per RFC 3875 Section 4.4
+// Reference: https://datatracker.ietf.org/doc/html/rfc3875#section-4.4
+//
+// Two layers of protection:
+// 1. Whitelist validation (optional, enabled by STRICT_CGI_PARAMS define)
+// 2. Apache-style shell metacharacter escaping (always active)
+
+{$IFDEF STRICT_CGI_PARAMS}
+// Whitelist validation: Only allow safe characters in CGI query parameters
+// Returns True if the parameter contains only safe characters
+// This is the first layer - rejects requests with unsafe characters
+function IsQueryParamSafe(const s: AnsiString): Boolean;
+var
+  i: Integer;
+  c: AnsiChar;
+begin
+  Result := True;
+  for i := 1 to Length(s) do
+  begin
+    c := s[i];
+    // Allow: A-Z, a-z, 0-9, hyphen, underscore, dot, forward slash, backslash, colon
+    if not ((c >= 'A') and (c <= 'Z')) and
+       not ((c >= 'a') and (c <= 'z')) and
+       not ((c >= '0') and (c <= '9')) and
+       (c <> '-') and (c <> '_') and (c <> '.') and
+       (c <> '/') and (c <> '\') and (c <> ':') then
+    begin
+      Result := False;
+      Exit;
+    end;
+  end;
+end;
+{$ENDIF}
+
+// Apache-style shell metacharacter escaping for Windows
+// Escapes dangerous characters with caret (^) and wraps in quotes
+// Based on Apache httpd ap_escape_shell_cmd() and PHP escapeshellcmd()
+// This is the second layer - always active as defense-in-depth
+// Reference: https://datatracker.ietf.org/doc/html/rfc3875#section-7.2
+function EscapeShellParam(const s: AnsiString): AnsiString;
+const
+  // Windows shell metacharacters that need escaping
+  DangerousChars = '&|<>^()%!"''`;$[]{}*?~';
+var
+  i: Integer;
+  c: AnsiChar;
+begin
+  Result := '';
+  for i := 1 to Length(s) do
+  begin
+    c := s[i];
+    // Block newlines entirely - cannot be safely escaped on Windows
+    if (c = #10) or (c = #13) then
+      Continue;
+    // Escape dangerous characters with caret (Windows cmd.exe escape char)
+    if Pos(c, DangerousChars) > 0 then
+      Result := Result + '^';
+    Result := Result + c;
+  end;
+  // Wrap in quotes for additional safety
+  if Result <> '' then
+    Result := '"' + Result + '"';
+end;
+
 function ExecuteScript(const AExecutable, APath, AScript, AQueryParam, AEnvStr,
   AStdInStr: AnsiString; Buffer: THTTPServerThreadBuffer; SelfThr: TThread;
   var ErrorMsg: AnsiString): TEntityHeader;
@@ -852,8 +917,9 @@ function ExecuteScript(const AExecutable, APath, AScript, AQueryParam, AEnvStr,
     s := AExecutable
   else
     s := AExecutable + ' ' + AScript;
+  // Apply Apache-style escaping to query parameter (always active)
   if AQueryParam <> '' then
-    s := s + ' ' + AQueryParam;
+    s := s + ' ' + EscapeShellParam(AQueryParam);
   s := DelSpaces(s);
   if (s = '') or (AEnvStr = '') or (APath = '') then
   begin
@@ -1921,12 +1987,21 @@ procedure THTTPServerThread.Execute;
             CEqual := '=';
             if Pos(CEqual, URIQuery) = 0 then
             begin
+              // ISINDEX-style query (no '=' sign) per RFC 3875 Section 4.4
               URIQueryParam := URIQuery;
               if not UnpackPchars(URIQueryParam) then
                 Break;
               CZero := #0;
               if Pos(CZero, URIQueryParam) > 0 then
                 Break;
+{$IFDEF STRICT_CGI_PARAMS}
+              // Whitelist validation: reject parameters with unsafe characters
+              if not IsQueryParamSafe(URIQueryParam) then
+              begin
+                StatusCode := 400;
+                Break;
+              end;
+{$ENDIF}
             end;
           end;
           CSemicolon := ';';
diff --git a/SRC/Tiny.dpr b/SRC/Tiny.dpr
@@ -1,7 +1,7 @@
 //////////////////////////////////////////////////////////////////////////
 //
 // TinyWeb
-// Copyright (C) 2021-2023 Maxim Masiutin
+// Copyright (C) 2021-2025 Maxim Masiutin
 // Copyright (C) 2000-2017 RITLABS S.R.L.
 // Copyright (C) 1997-2000 RIT Research Labs
 //
diff --git a/SRC/compile.cmd b/SRC/compile.cmd
@@ -1,5 +1,18 @@
-@echo off
-if exist TinyWeb.7z del TinyWeb.7z
-if exist Tiny.exe del Tiny.exe
-C:\FPC\3.2.2\bin\i386-win32\fpc.exe -OpCOREAVX2 -O4 -Pi386 -Twin32 -B -MObjFPC Tiny.dpr
-7z a -mx9 TinyWeb Tiny.exe
+@echo off
+REM PP - path to Free Pascal compiler (standard FPC Makefile variable)
+REM If not set, uses fpc.exe from PATH
+
+if exist TinyWeb.7z del TinyWeb.7z
+if exist Tiny.exe del Tiny.exe
+
+if defined PP (
+    "%PP%" -OpCOREAVX2 -O4 -Pi386 -Twin32 -B -MObjFPC Tiny.dpr
+) else (
+    fpc.exe -OpCOREAVX2 -O4 -Pi386 -Twin32 -B -MObjFPC Tiny.dpr
+)
+
+if exist "%ProgramFiles%\7-Zip\7z.exe" (
+    "%ProgramFiles%\7-Zip\7z.exe" a -mx9 TinyWeb Tiny.exe
+) else (
+    7z.exe a -mx9 TinyWeb Tiny.exe
+)
diff --git a/SRC/define.inc b/SRC/define.inc
@@ -1 +1,14 @@
 {$DEFINE LOGGING}
+
+// STRICT_CGI_PARAMS: When enabled, CGI query parameters (ISINDEX-style queries
+// without '=' per RFC 3875 Section 4.4) are validated against a whitelist of
+// safe characters. Parameters containing characters outside [A-Za-z0-9._-/\:]
+// will be rejected with HTTP 400 Bad Request.
+//
+// When disabled, Apache-style shell metacharacter escaping is used instead,
+// which allows all characters but escapes dangerous ones. This provides full
+// compatibility with legacy CGI scripts that may need special characters.
+//
+// Default: ENABLED (strictest security)
+// To disable: Comment out or remove the line below
+{$DEFINE STRICT_CGI_PARAMS}
diff --git a/SRC/xBase.pas b/SRC/xBase.pas
@@ -1,7 +1,7 @@
 //////////////////////////////////////////////////////////////////////////
 //
 // TinyWeb
-// Copyright (C) 2021-2023 Maxim Masiutin
+// Copyright (C) 2021-2025 Maxim Masiutin
 // Copyright (C) 1997-2000 RIT Research Labs
 // Copyright (C) 2000-2017 RITLABS S.R.L.
 //
diff --git a/history.html b/history.html
@@ -103,5 +103,13 @@ <h2>1.97 (11 April 2023)</h2>
 <li>The file buffers of all log files are flushed, not just the logs of the access logs</li>
 <li>The query string of the GET method is also written to the access log</li>
 </ul>
+<h2>1.98 (23 November 2025)</h2>
+<ul>
+<li>Apache-style shell metacharacter escaping for CGI query parameters (always active)</li>
+<li>Optional strict whitelist validation via STRICT_CGI_PARAMS define (enabled by default)</li>
+<li>CGI query parameters protected by two layers: whitelist rejects unsafe chars, escaping sanitizes the rest</li>
+<li>Full ISINDEX query support preserved per <a href="https://datatracker.ietf.org/doc/html/rfc3875#section-4.4">RFC 3875 Section 4.4</a></li>
+<li>To allow special characters in queries, disable STRICT_CGI_PARAMS in define.inc</li>
+</ul>
 </body>
 </html>
diff --git a/licence.txt b/licence.txt
@@ -1,5 +1,5 @@
 TinyWeb 
-Copyright (C) 2021-2023 Maxim Masiutin
+Copyright (C) 2021-2025 Maxim Masiutin
 Copyright (C) 2000-2017 RITLABS S.R.L.
 Copyright (C) 1997-2000 RIT Research Labs
 
diff --git a/readme.md b/readme.md
@@ -1,32 +1,70 @@
-# TinyWeb Server 
-Version 1.97  
-Released April 11, 2023  
-Written by Maxim Masiutin  
-Copyright (C) 2021-2023 Maxim Masiutin  
-Copyright (C) 2000-2017 RITLABS S.R.L.  
-Copyright (C) 1997-2000 RIT Research Labs  
-
-## Setup
-To set up the TinyWeb Server, just create a shortcut in the Startup menu with the following properties:
-
-### Target
-`c:\www\bin\tiny.exe c:\www\root`
-### Start In
-`c:\www\log`
-
-
-Here, `c:\www\bin\tiny.exe` is the path to TinyWeb executable, `c:\www\root` is the path to www home (root) directory, and `c:\www\log` is the directory for log files that TinyWeb keeps.
-
-TinyWeb is not a windowed application, so there is no window with TinyWeb. It is also not a console application, so there is no console window for TinyWeb. Moreover, it is not a Windows Service. Once started, the `tiny.exe` process will appear in Task List. There is no way to stop Tiny Web except via the "End Task" operation.
-
-## Command-line Options
-1. First parameter (mandatory) is a path to the www home (root) directory.
-2. Second parameter (optional) is a port number. By default, it is 80 for HTTP and 443 for HTTPS(SSL/TLS).
-3. Third parameter (optional) is a dotted-decimal IP address to bind the server. By default, TinyWeb binds to all available local addresses.
-
-## Examples
-
-### Run TinyWeb on port 8000:
-`c:\www\bin\tiny.exe c:\www\root 8000`
-### Run TinyWeb on port 8000 and address 212.56.194.250:
-`c:\www\bin\tiny.exe c:\www\root 8000 212.56.194.250`
+# TinyWeb Server 
+Version 1.97  
+Released April 11, 2023  
+Written by Maxim Masiutin  
+Copyright (C) 2021-2025 Maxim Masiutin  
+Copyright (C) 2000-2017 RITLABS S.R.L.  
+Copyright (C) 1997-2000 RIT Research Labs  
+
+## Setup
+To set up the TinyWeb Server, just create a shortcut in the Startup menu with the following properties:
+
+### Target
+`c:\www\bin\tiny.exe c:\www\root`
+### Start In
+`c:\www\log`
+
+
+Here, `c:\www\bin\tiny.exe` is the path to TinyWeb executable, `c:\www\root` is the path to www home (root) directory, and `c:\www\log` is the directory for log files that TinyWeb keeps.
+
+**Note:** These paths are just examples. You can customize them to your needs. Also, make sure that an `index.html` file exists in your www home (root) directory, otherwise the server will fail to start.
+
+TinyWeb is not a windowed application, so there is no window with TinyWeb. It is also not a console application, so there is no console window for TinyWeb. Moreover, it is not a Windows Service. Once started, the `tiny.exe` process will appear in Task List. There is no way to stop Tiny Web except via the "End Task" operation.
+
+## Command-line Options
+1. First parameter (mandatory) is a path to the www home (root) directory.
+2. Second parameter (optional) is a port number. By default, it is 80 for HTTP and 443 for HTTPS(SSL/TLS).
+3. Third parameter (optional) is a dotted-decimal IP address to bind the server. By default, TinyWeb binds to all available local addresses.
+
+## Examples
+
+### Run TinyWeb on port 8000:
+`c:\www\bin\tiny.exe c:\www\root 8000`
+### Run TinyWeb on port 8000 and address 212.56.194.250:
+`c:\www\bin\tiny.exe c:\www\root 8000 212.56.194.250`
+
+## Building CGI Executables with Docker
+
+You can use Docker to cross-compile C files into Windows executables using MinGW.
+
+### Build hello.exe
+```cmd
+docker build -t tinyweb-login-c .
+```
+
+### Extract the executable and copy to cgi-bin
+```cmd
+docker create --name temp tinyweb-login-c
+docker cp temp:/app/hello.exe c:\www\root\cgi-bin\hello.exe
+docker rm temp
+```
+
+The Dockerfile uses `debian:stable-slim` with MinGW to compile `CGITEST/hello.c` into a Windows executable.
+
+## CGI Query Parameter Handling
+
+TinyWeb supports ISINDEX-style queries per [RFC 3875 Section 4.4](https://datatracker.ietf.org/doc/html/rfc3875#section-4.4). Query strings without `=` are passed as command-line arguments to CGI scripts.
+
+### Security
+
+CGI query parameters are protected by two layers:
+1. **Whitelist validation** (optional): Rejects parameters with unsafe characters
+2. **Apache-style escaping** (always active): Escapes shell metacharacters
+
+### Configuration
+
+The `STRICT_CGI_PARAMS` define in `SRC/define.inc` controls whitelist validation:
+- **Enabled (default)**: Only allows `[A-Za-z0-9._-/\:]` in query parameters
+- **Disabled**: Allows all characters (escaped for safety)
+
+To disable strict mode, comment out `{$DEFINE STRICT_CGI_PARAMS}` in `define.inc`.
